Disabling and deleting Spaces with API when UI for disabling and deleting space is not shown in context menu
Describe the bug
You can delete a Space via API even when the WebUI does not show the menu items to delete a space.
OpenCloud 3.4.0, OpenCloud Web UI 3.2.0
Steps to reproduce deleting via UI without reloading the browser
- Create a space
- Disable the space via context menu
- Delete the space via context menu
Steps to reproduce deleting via API
- Create a space
- Disable the space
- Reload the browser (otherwise the context menu to disable and delete the space is still there)
- After reloading, the context menu items are gone, and it seems the permissions are missing. Are they?
- Copy a deletion API request, put in the disabled Space ID, and run curl in the terminal
- Space deleted even when the UI was disabled.
Here is our custom role setup:
This is the normal user; we just changed the Drives.Create constraint
from
"constraint": "CONSTRAINT_OWN"
to
"constraint": "CONSTRAINT_ALL"
Extension:
{
"id": "79e13b30-3e22-11eb-bc51-0b9f0bad9a58",
"name": "Drives.Create",
"displayName": "Create Space",
"description": "This permission allows creating new spaces.",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_ALL"
},
"resource": {
"type": "TYPE_SYSTEM"
}
},
{
"id": "b05e4935-0d1f-4c4c-9ba1-4aa48beb1a21",
"name": "spaceoperator",
"type": "TYPE_ROLE",
"extension": "opencloud-roles",
"displayName": "Space Operator",
"settings": [
{
"id": "4e41363c-a058-40a5-aec8-958897511209",
"name": "AutoAcceptShares.ReadWriteDisabled",
"displayName": "enable/disable auto accept shares",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "ec3ed4a3-3946-4efc-8f9f-76d38b12d3a9"
}
},
{
"id": "11516bbd-7157-49e1-b6ac-d00c820f980b",
"name": "PublicLink.Write",
"displayName": "Write publiclink",
"description": "This permission allows creating public links.",
"permissionValue": {
"operation": "OPERATION_WRITE",
"constraint": "CONSTRAINT_ALL"
},
"resource": {
"type": "TYPE_SHARE"
}
},
{
"id": "069c08b1-e31f-4799-9ed6-194b310e7244",
"name": "Shares.Write",
"displayName": "Write share",
"description": "This permission allows creating shares.",
"permissionValue": {
"operation": "OPERATION_WRITE",
"constraint": "CONSTRAINT_ALL"
},
"resource": {
"type": "TYPE_SHARE"
}
},
{
"id": "79e13b30-3e22-11eb-bc51-0b9f0bad9a58",
"name": "Drives.Create",
"displayName": "Create Space",
"description": "This permission allows creating new spaces.",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_ALL"
},
"resource": {
"type": "TYPE_SYSTEM"
}
},
{
"id": "ad5bb5e5-dc13-4cd3-9304-09a424564ea8",
"name": "EmailNotifications.ReadWriteDisabled",
"displayName": "Disable Email Notifications",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "33ffb5d6-cd07-4dc0-afb0-84f7559ae438"
}
},
{
"id": "7dc204ee-799a-43b6-b85d-425fb3b1fa5a",
"name": "EmailSendingInterval.ReadWrite",
"displayName": "Email Sending Interval",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "08dec2fe-3f97-42a9-9d1b-500855e92f25"
}
},
{
"id": "8a50540c-1cdd-481f-b85f-44654393c8f0",
"name": "Event.ShareCreated.ReadWrite",
"displayName": "Event Share Created",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "872d8ef6-6f2a-42ab-af7d-f53cc81d7046"
}
},
{
"id": "5ef55465-8e39-4a6c-ba97-1d19f5b07116",
"name": "Event.ShareRemoved.ReadWrite",
"displayName": "Event Share Removed",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "d7484394-8321-4c84-9677-741ba71e1f80"
}
},
{
"id": "7d4f961b-d471-451b-b1fd-ac6a9d59ce88",
"name": "Event.ShareExpired.ReadWrite",
"displayName": "Event Share Expired",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "e1aa0b7c-1b0f-4072-9325-c643c89fee4e"
}
},
{
"id": "feb16d2c-614c-4f79-ac37-755a028f5616",
"name": "Event.SpaceShared.ReadWrite",
"displayName": "Event Space Shared",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "694d5ee1-a41c-448c-8d14-396b95d2a918"
}
},
{
"id": "4f979732-631b-4f27-9be7-a89fb223a6d2",
"name": "Event.SpaceUnshared.ReadWrite",
"displayName": "Event Space Unshared",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "26c20e0e-98df-4483-8a77-759b3a766af0"
}
},
{
"id": "a3cc45bf-9720-4e08-b403-b9133fe33f0b",
"name": "Event.SpaceMembershipExpired.ReadWrite",
"displayName": "Event Space Membership Expired",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "7275921e-b737-4074-ba91-3c2983be3edd"
}
},
{
"id": "896194c2-5055-4ea3-94a3-0a1419187a00",
"name": "Event.SpaceDisabled.ReadWrite",
"displayName": "Event Space Disabled",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "eb5c716e-03be-42c6-9ed1-1105d24e109f"
}
},
{
"id": "2083c280-b140-4b73-a931-9a4af2931531",
"name": "Event.SpaceDeleted.ReadWrite",
"displayName": "Event Space Deleted",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "094ceca9-5a00-40ba-bb1a-bbc7bccd39ee"
}
},
{
"id": "27ba8e97-0bdf-4b18-97d4-df44c9568cda",
"name": "Event.PostprocessingStepFinished.ReadWrite",
"displayName": "Event Postprocessing Step Finished",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "fe0a3011-d886-49c8-b797-33d02fa426ef"
}
},
{
"id": "7d81f103-0488-4853-bce5-98dcce36d649",
"name": "Language.ReadWrite",
"displayName": "Permission to read and set the language",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "aa8cfbe5-95d4-4f7e-a032-c3c01f5f062f"
}
},
{
"id": "4ebaa725-bfaa-43c5-9817-78bc9994bde4",
"name": "Favorites.List",
"displayName": "List Favorites",
"description": "This permission allows listing favorites.",
"permissionValue": {
"operation": "OPERATION_READ",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SYSTEM"
}
},
{
"id": "e03070e9-4362-4cc6-a872-1c7cb2eb2b8e",
"name": "Self.ReadWrite",
"displayName": "Self Management",
"description": "This permission gives access to self management.",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_USER",
"id": "me"
}
},
{
"id": "a54778fd-1c45-47f0-892d-655caf5236f2",
"name": "Favorites.Write",
"displayName": "Write Favorites",
"description": "This permission allows marking files as favorites.",
"permissionValue": {
"operation": "OPERATION_WRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_FILE"
}
}
],
"resource": {
"type": "TYPE_SYSTEM"
}
}
So your expectation is that a user with Drives.Create permission and CONSTRAINT_ALL can create and disable spaces, but not delete them?
You may need to add additional permissions, such as: Drives.List, Drives.ReadWrite, Drives.ReadWriteEnabled.
If you call POST https://demo.opencloud.eu/api/v0/settings/roles-list you can see all Space Admin permissions:
{
"id": "2aadd357-682c-406b-8874-293091995fdd",
"name": "spaceadmin",
"type": "TYPE_ROLE",
"extension": "opencloud-roles",
"displayName": "Space Admin",
"settings": [
{
"id": "4e41363c-a058-40a5-aec8-958897511209",
"name": "AutoAcceptShares.ReadWriteDisabled",
"displayName": "enable/disable auto accept shares",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "ec3ed4a3-3946-4efc-8f9f-76d38b12d3a9"
}
},
{
"id": "11516bbd-7157-49e1-b6ac-d00c820f980b",
"name": "PublicLink.Write",
"displayName": "Write publiclink",
"description": "This permission allows creating public links.",
"permissionValue": {
"operation": "OPERATION_WRITE",
"constraint": "CONSTRAINT_ALL"
},
"resource": {
"type": "TYPE_SHARE"
}
},
{
"id": "069c08b1-e31f-4799-9ed6-194b310e7244",
"name": "Shares.Write",
"displayName": "Write share",
"description": "This permission allows creating shares.",
"permissionValue": {
"operation": "OPERATION_WRITE",
"constraint": "CONSTRAINT_ALL"
},
"resource": {
"type": "TYPE_SHARE"
}
},
{
"id": "79e13b30-3e22-11eb-bc51-0b9f0bad9a58",
"name": "Drives.Create",
"displayName": "Create Space",
"description": "This permission allows creating new spaces.",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_ALL"
},
"resource": {
"type": "TYPE_SYSTEM"
}
},
{
"id": "fb60b004-c1fa-4f09-bf87-55ce7d46ac61",
"name": "Drives.DeleteProject",
"displayName": "Delete AllSpaces",
"description": "This permission allows deleting all spaces.",
"permissionValue": {
"operation": "OPERATION_DELETE",
"constraint": "CONSTRAINT_ALL"
},
"resource": {
"type": "TYPE_SYSTEM"
}
},
{
"id": "e9a697c5-c67b-40fc-982b-bcf628e9916d",
"name": "ReadOnlyPublicLinkPassword.Delete",
"displayName": "Delete Read-Only Public link password",
"description": "This permission permits to opt out of a public link password enforcement.",
"permissionValue": {
"operation": "OPERATION_WRITE",
"constraint": "CONSTRAINT_ALL"
},
"resource": {
"type": "TYPE_SHARE"
}
},
{
"id": "ad5bb5e5-dc13-4cd3-9304-09a424564ea8",
"name": "EmailNotifications.ReadWriteDisabled",
"displayName": "Disable Email Notifications",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "33ffb5d6-cd07-4dc0-afb0-84f7559ae438"
}
},
{
"id": "7dc204ee-799a-43b6-b85d-425fb3b1fa5a",
"name": "EmailSendingInterval.ReadWrite",
"displayName": "Email Sending Interval",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "08dec2fe-3f97-42a9-9d1b-500855e92f25"
}
},
{
"id": "8a50540c-1cdd-481f-b85f-44654393c8f0",
"name": "Event.ShareCreated.ReadWrite",
"displayName": "Event Share Created",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "872d8ef6-6f2a-42ab-af7d-f53cc81d7046"
}
},
{
"id": "5ef55465-8e39-4a6c-ba97-1d19f5b07116",
"name": "Event.ShareRemoved.ReadWrite",
"displayName": "Event Share Removed",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "d7484394-8321-4c84-9677-741ba71e1f80"
}
},
{
"id": "7d4f961b-d471-451b-b1fd-ac6a9d59ce88",
"name": "Event.ShareExpired.ReadWrite",
"displayName": "Event Share Expired",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "e1aa0b7c-1b0f-4072-9325-c643c89fee4e"
}
},
{
"id": "feb16d2c-614c-4f79-ac37-755a028f5616",
"name": "Event.SpaceShared.ReadWrite",
"displayName": "Event Space Shared",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "694d5ee1-a41c-448c-8d14-396b95d2a918"
}
},
{
"id": "4f979732-631b-4f27-9be7-a89fb223a6d2",
"name": "Event.SpaceUnshared.ReadWrite",
"displayName": "Event Space Unshared",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "26c20e0e-98df-4483-8a77-759b3a766af0"
}
},
{
"id": "a3cc45bf-9720-4e08-b403-b9133fe33f0b",
"name": "Event.SpaceMembershipExpired.ReadWrite",
"displayName": "Event Space Membership Expired",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "7275921e-b737-4074-ba91-3c2983be3edd"
}
},
{
"id": "896194c2-5055-4ea3-94a3-0a1419187a00",
"name": "Event.SpaceDisabled.ReadWrite",
"displayName": "Event Space Disabled",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "eb5c716e-03be-42c6-9ed1-1105d24e109f"
}
},
{
"id": "2083c280-b140-4b73-a931-9a4af2931531",
"name": "Event.SpaceDeleted.ReadWrite",
"displayName": "Event Space Deleted",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "094ceca9-5a00-40ba-bb1a-bbc7bccd39ee"
}
},
{
"id": "27ba8e97-0bdf-4b18-97d4-df44c9568cda",
"name": "Event.PostprocessingStepFinished.ReadWrite",
"displayName": "Event Postprocessing Step Finished",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "fe0a3011-d886-49c8-b797-33d02fa426ef"
}
},
{
"id": "7d81f103-0488-4853-bce5-98dcce36d649",
"name": "Language.ReadWrite",
"displayName": "Permission to read and set the language",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SETTING",
"id": "aa8cfbe5-95d4-4f7e-a032-c3c01f5f062f"
}
},
{
"id": "4ebaa725-bfaa-43c5-9817-78bc9994bde4",
"name": "Favorites.List",
"displayName": "List Favorites",
"description": "This permission allows listing favorites.",
"permissionValue": {
"operation": "OPERATION_READ",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_SYSTEM"
}
},
{
"id": "016f6ddd-9501-4a0a-8ebe-64a20ee8ec82",
"name": "Drives.List",
"displayName": "List All Spaces",
"description": "This permission allows listing all spaces.",
"permissionValue": {
"operation": "OPERATION_READ",
"constraint": "CONSTRAINT_ALL"
},
"resource": {
"type": "TYPE_SYSTEM"
}
},
{
"id": "b44b4054-31a2-42b8-bb71-968b15cfbd4f",
"name": "Drives.ReadWrite",
"displayName": "Manage space properties",
"description": "This permission allows managing space properties such as name and description.",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_ALL"
},
"resource": {
"type": "TYPE_SYSTEM"
}
},
{
"id": "e03070e9-4362-4cc6-a872-1c7cb2eb2b8e",
"name": "Self.ReadWrite",
"displayName": "Self Management",
"description": "This permission gives access to self management.",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_USER",
"id": "me"
}
},
{
"id": "977f0ae6-0da2-4856-93f3-22e0a8482489",
"name": "Drives.ReadWriteProjectQuota",
"displayName": "Set Project Space Quota",
"description": "This permission allows managing project space quotas.",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_ALL"
},
"resource": {
"type": "TYPE_SYSTEM"
}
},
{
"id": "cf3faa8c-50d9-4f84-9650-ff9faf21aa9d",
"name": "Drives.ReadWriteEnabled",
"displayName": "Space ability",
"description": "This permission allows enabling and disabling spaces.",
"permissionValue": {
"operation": "OPERATION_READWRITE",
"constraint": "CONSTRAINT_ALL"
},
"resource": {
"type": "TYPE_SYSTEM"
}
},
{
"id": "a54778fd-1c45-47f0-892d-655caf5236f2",
"name": "Favorites.Write",
"displayName": "Write Favorites",
"description": "This permission allows marking files as favorites.",
"permissionValue": {
"operation": "OPERATION_WRITE",
"constraint": "CONSTRAINT_OWN"
},
"resource": {
"type": "TYPE_FILE"
}
}
],
"resource": {
"type": "TYPE_SYSTEM"
}
},
Hi, I manage the installation from @christophwolff and wanted to add some more information and to clear things up.
> So your expectation is that a user with Drives.Create permission and CONSTRAINT_ALL can create and disable spaces, but not delete them?

No, the user should at least be able to create, disable, enable and delete his "own" spaces (spaces the user can manage). Which works fine when you operate without a page refresh. See screenshot. Disable/Activate/Delete all work fine.
The issue is, the context menu in the frontend is disappearing after a page refresh. See Screenshot. But the user is still able to activate or delete the space via API call. Because the user `can manage` the space that would make sense.
In order to see the context menu after the refresh, you need Drives.ReadWriteEnabled like @ScharfViktor suggested.
But this allows disabling ALL spaces, not just the ones where the user has can manage. The user does not see and cannot access the spaces' admin menu, but is able to disable all spaces where the permissions are can view, can edit or can manage. See screenshot.
I believe this is a bug! The user should not be able to do this. See below, delete and reactivate are not allowed.
So, the user is able to deactivate ANY space he/she is a member of. He/she is not able to delete the space afterward, but still sees the delete option in the menu. Which makes sense because he/she does not have the permissions to delete other spaces just by having Drives.ReadWriteEnabled. See screenshot.
As mentioned above, the user is unable to reactivate the space. See screenshot
So either the Drives.ReadWriteEnabled permission is an "admin" permission and allows all spaces you are a member of to be deactivated and reactivated, regardless of space permissions. Then the reactivation needs to be fixed.
In this case, I don't want to give it to a user.
Then the context menu needs to be fixed / shown in the frontend when the user has deactivated a space with can manage and refreshes the page.
Or
It acts in conjunction with the space permission can manage. Then the deactivation of spaces where you only have can view or can edit needs to be removed. The actual permission to deactivate and the context menu need to be removed too.
Hope this is not too complicated of an explanation.
Feel free to ask if something is unclear.
Then I would say this is a feature request, not a bug.
Right now we have the following roles:
- admin
- space admin → can create/disable/delete all project spaces; has access to Admin Settings → Spaces
- user → cannot create/disable/delete project spaces; has no access to Admin Settings → Spaces
- userlight
New feature proposal: Add a new role: user + project space creator
Expected: a user with this role should be able to create/disable/delete/set quota/etc. only for own project spaces or spaces where he/she can manage (its space role). He/she should not have access to Admin Settings → Spaces, so as not to see other project spaces.
I don't see how this is a feature request. You're allowed to create your own roles using the bundles.json. I don't need this role baked into the source code. Why offer a bundles.json to mix and match your permissions when it's not working properly? Also, I just tried it with a normal user role: same problem, it has nothing to do with the custom role we have created.
I just expect the frontend to be visually in line with what the user can do via API. The context menu entries are missing. Plain and simple. (After a browser refresh) This is the bug.
Like I mentioned above, forget the role we have created. Even a User cannot see the context menu after deactivating the space, even with can manage permission in the space. It basically has nothing to do with our role. That's just for creating spaces.
It also clearly states here
https://github.com/opencloud-eu/reva/blob/main/pkg/storage/utils/decomposedfs/spaces.go#L1115-L1116
// - a project space can always be enabled/disabled/deleted by its manager (i.e. users have the "remove" grant)
Which is working fine via API: the user has all the permissions to do these actions (activate/deactivate/delete) via API, just not via the frontend.
I stand by what I said, this should be considered a bug. I should be able to do this via the frontend.
I just tried it on demo.opencloud.eu
A user cannot re-enable or delete a space once it was deactivated and the browser was refreshed. It has nothing to do with our role.
This is a different issue
Why am I allowed to disable spaces with Drives.ReadWriteEnabled but not re-enable them?
Something is a bit weird here.
Hope you have another look into this issue.
> I don't see how this is a feature request. You're allowed to create your own roles using the bundles.json. I don't need this role baked into the source code. Why offer a bundles.json to mix and match your permissions when it's not working properly? Also, I just tried it with a normal user role: same problem, it has nothing to do with the custom role we have created.

You're right, sorry. We’ve reclassified it as a bug and will look into fixing it as soon as possible.
Thanks everyone.
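
To see what copying Drives.ReadWriteEnabled from the Space Admin role into a custom role changes, the two posted bundles can be compared offline. This is an added example, not OpenCloud code and not part of any comment above: the function names are hypothetical, the sample is a constructed, trimmed copy of the posted roles, and the script reads only the bundle JSON, not what the server enforces.

```python
import copy
import json

# Constructed sample: the two roles from the thread, trimmed (ids, descriptions
# and most settings dropped). Names, operations and constraints are as posted.
BUNDLES_JSON = """[
 {"name": "spaceoperator", "settings": [
  {"name": "Drives.Create", "permissionValue": {"operation": "OPERATION_READWRITE", "constraint": "CONSTRAINT_ALL"}, "resource": {"type": "TYPE_SYSTEM"}},
  {"name": "Favorites.List", "permissionValue": {"operation": "OPERATION_READ", "constraint": "CONSTRAINT_OWN"}, "resource": {"type": "TYPE_SYSTEM"}},
  {"name": "Shares.Write", "permissionValue": {"operation": "OPERATION_WRITE", "constraint": "CONSTRAINT_ALL"}, "resource": {"type": "TYPE_SHARE"}}]},
 {"name": "spaceadmin", "settings": [
  {"name": "Drives.Create", "permissionValue": {"operation": "OPERATION_READWRITE", "constraint": "CONSTRAINT_ALL"}, "resource": {"type": "TYPE_SYSTEM"}},
  {"name": "Drives.DeleteProject", "permissionValue": {"operation": "OPERATION_DELETE", "constraint": "CONSTRAINT_ALL"}, "resource": {"type": "TYPE_SYSTEM"}},
  {"name": "Drives.List", "permissionValue": {"operation": "OPERATION_READ", "constraint": "CONSTRAINT_ALL"}, "resource": {"type": "TYPE_SYSTEM"}},
  {"name": "Drives.ReadWrite", "permissionValue": {"operation": "OPERATION_READWRITE", "constraint": "CONSTRAINT_ALL"}, "resource": {"type": "TYPE_SYSTEM"}},
  {"name": "Drives.ReadWriteProjectQuota", "permissionValue": {"operation": "OPERATION_READWRITE", "constraint": "CONSTRAINT_ALL"}, "resource": {"type": "TYPE_SYSTEM"}},
  {"name": "Drives.ReadWriteEnabled", "permissionValue": {"operation": "OPERATION_READWRITE", "constraint": "CONSTRAINT_ALL"}, "resource": {"type": "TYPE_SYSTEM"}}]}
]"""


def load_roles(text):
    """Parse a JSON list of role bundles into {role name: bundle}."""
    return {role["name"]: role for role in json.loads(text)}


def system_grants(role, prefix="Drives."):
    """Map name -> (operation, constraint) for TYPE_SYSTEM settings under prefix."""
    grants = {}
    for setting in role.get("settings", []):
        if setting.get("resource", {}).get("type") != "TYPE_SYSTEM":
            continue
        if not setting.get("name", "").startswith(prefix):
            continue
        value = setting.get("permissionValue", {})
        grants[setting["name"]] = (value.get("operation"), value.get("constraint"))
    return grants


def diff_roles(custom, reference):
    """Compare the Drives.* grants of a custom role with a reference role."""
    mine, theirs = system_grants(custom), system_grants(reference)
    return {
        "only_in_reference": sorted(set(theirs) - set(mine)),
        "only_in_custom": sorted(set(mine) - set(theirs)),
        # CONSTRAINT_ALL: the bundle does not limit the grant to the user's own resources.
        "unscoped": sorted(n for n, (_, c) in mine.items() if c == "CONSTRAINT_ALL"),
    }


def with_setting(custom, reference, name):
    """Return a copy of custom with one named setting copied from reference."""
    patched = copy.deepcopy(custom)
    for setting in reference.get("settings", []):
        if setting.get("name") == name:
            patched["settings"].append(copy.deepcopy(setting))
            return patched
    raise KeyError(f"{name} is not in role {reference.get('name')}")


if __name__ == "__main__":
    roles = load_roles(BUNDLES_JSON)
    operator, admin = roles["spaceoperator"], roles["spaceadmin"]
    print("as posted:", diff_roles(operator, admin))
    patched = with_setting(operator, admin, "Drives.ReadWriteEnabled")
    print("with Drives.ReadWriteEnabled:", diff_roles(patched, admin))
```

The second report lists Drives.ReadWriteEnabled under `unscoped`, because the only form of that setting in the posted bundles carries CONSTRAINT_ALL.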